Health care IT departments must defend against cyber attacks — and also the NSA

Every successful cyber attack provides a learning opportunity for technologists. WannaCry provides two: Big organizations, particularly in health care, must learn to prioritize safety over compliance; and while doing that, they shouldn’t have to fight against American-made weaponry.

For a long time, many health care providers have been worried about the wrong thing in cybersecurity—compliance rather than patient safety. With the WannaCry attack, we see the most frightening example yet of the devastating consequences.

Last year, after a spate of ransomware attacks, U.S. and Canadian authorities rang a five-alarm bell about hospitals and ransomware. But at about the same time, other parts of the U.S. government were busy developing cyber weapons that eventually would be used, to great effect, against hospitals worldwide.

First, the health care lesson.

So far, in one of the worst cyber attacks in recent memory, WannaCry has hit computers in 150 countries, according to Europol. The clever attack encrypts files and demands ransom from victims. The software can run in 27 different languages, according to U.S. cybersecurity officials.

U.K. health centers were hit so hard, some were turning away patients.

There’s a reason hospitals are at particular risk from these kinds of attacks. In the U.K., many were still running old systems like Windows XP, which no longer gets regular security updates from Microsoft.

Health facilities struggle with defense

These situations are not uncommon in health facilities. Many have single-task PCs scattered around the building that hardly attract a moment’s notice, let alone regular security updates. I discussed this problem recently with Geoff Gentry, part of a team from Independent Security Evaluators. They did a large-scale review of hospital cyber defenses on the U.S. East Coast last year. While old computers are a big part of the problem, old thinking is even worse, he said. In the United States, most health facilities are more worried about HIPAA lawsuits than hackers.

If someone steals a patient record, sure, they can do damage. They can perhaps mess up a patient’s credit report. But if someone hacks and alters a patient record, the consequences can be much more dire.

HIPAA falls short

“For almost two decades, HIPAA has been ineffective at protecting patient privacy, and instead has created a system of confusion, fear and busy work that has cost the industry billions. Punitive measures for compliance failures should not disincentivize the security process, and health care organizations should be rewarded for proactive security work that protects patient health and privacy,” the report says. “(HIPAA has) not been successful in curtailing the rise of successful attacks aimed at compromising patient records, as can be seen in the year over year increase in successful attacks. This is no surprise however, since compliance rarely succeeds at addressing anything more than the lowest bar of adversary faced, and so long as more and better adversaries come on to the scene, these attempts will continue to fail.”

Once again, it appears hospital systems have escaped the true nightmare scenario—wide-scale injuries or deaths resulting from misbehaving technology. But the warning signs couldn’t be more clear. That’s one lesson from WannaCry.

The other might be more profound. Why are security professionals forced to beat back NSA-made cyber-weapons today?

High-risk government cyber games

The real legacy of WannaCry will be the malware’s government-based origins. During the weekend, Microsoft called out the NSA for researching and hiding vulnerabilities, comparing this incident to theft of a U.S. missile.

“This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem. This is an emerging pattern in 2017,” chief counsel Brad Smith wrote in a blog post. “We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen.”

Cooperation among countries

Smith repeated Microsoft’s recent and timely call for a “Digital Geneva Convention” that would require governments to share information on vulnerabilities, rather than stockpile them.

“This most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today—nation-state action and organized criminal action,” he said. “The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyber space to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits.”

There’s a lot of blame to go around for the WannaCry fiasco. Surely, organizations that allow themselves to be hit by flaws that had been patched two months earlier deserve a heaping portion. But ultimately, WannaCry shows that the kinds of cyber games played by the NSA—the kind exposed by Edward Snowden—are, in fact, dangerous. In a connected world, unintended consequences can spread around the globe very fast. Sadly, solutions make the rounds much more slowly.